A classic local unicode buffer overflow vulnerability has been discovered in the official Clone2Go Video to iPod Converter v2.5.0 software. The vulnerability allows local attackers to gain higher system or access privileges by exploitation of a classic unicode buffer overflow vulnerability.

Local attackers with low- privilege system user account or restricted system privileges are able to compromise the local system by exploitation of a classic unicode buffer overflow vulnerability. The local attacker copies a specific byte size string to the options index files input to overflow the process and overwrite the registers like ECX,EBX or EIP. Thus allows the local attacker to takeover the system process of the software client to compromise the local system/server.

Product & Service Introduction:
===============================
Video to iPod Converter is a powerful and easy-to-use iPod video conversion software tool for Apple iPod fans. With this video converter for iPod, you can convert videos in almost any popular video format, including AVI, WMV, ASF, MOV, MP4, RM, RMVB, FLV, MKV, AVS, MPG, VOB for playback on the new iPod touch, iPod classic, iPod nano 5G with camera.

(Copy of the Vendor Homepage: http://www.clone2go.com/)

Date of Discovery:
==================
2018-09-11

Exploitation Technique:
=======================
Local

Platfom Tested:
===============
Windows 7

Solution – Fix & Patch:
=======================
Restrict the Set Output folder input by size and allocate the memory to deny to overflow the process by interaction with the vulnerable input field.

Levels Risk :

Proof of Concept (PoC):
=======================
The local buffer overflow vulnerability can be exploited by local attackers with restricted system user account without user interaction. For security demonstration or to reproduce follow the provided information and steps below to continue.